Blog Post

22 October 2015

Stop using CAPTCHAs in your Web forms!

CAPTCHAs are dead!

So I’m sure you’ve bumped into a CAPTCHA if you’ve surfed the Internet at all in the last decade. CAPTCHAs are those Web form images made up of distorted letters and numbers, and you’re supposed to type them into a Web form to prove that you’re not a “robot.”

Here are a few examples of CAPTCHAs to refresh your memory.


Well, I’m happy to say that CAPTCHAs should be dead! All Web designers and developers in the world should feel free to stop using them. Here’s why …

Long live the Honeypot!

So a few years ago, someone came up with a very clever way to foil the Web “robots” that auto-post to Web forms all over the Internet. It’s called a “honeypot.”

Before I go over┬áthe honeypot technique, I need to first explain how these Web robots work. You see, there are “hackers” (which is too kind … they are more commonly referred to as “script kiddies” … a notch or two below true hackers) who have nothing better to do than write programs to auto-fill forms on websites.

Here’s the rub … it’s not like there’s someone actually working on your website to auto-fill out the form and send you spam email. What is actually happening is a person wrote a┬áprogram (a “script”) coded to simply roam, unattended, millions of websites looking for Web forms, and when it comes upon one, it tries to fill out the form with some sort of spam email message. It’s not like someone is targeting your website specifically. The bot just wanders the Internet looking for forms to spam.

So the way that bots work is they look for “signatures” in Web pages’ code that identify a Web form. When they find one, they just fill in the form with random information. So generally Web forms have name, email, maybe a phone, and message/comments fields and a send or submit button. The bot just fills out all these fields and automatically clicks the send button.

Along came the CAPTCHA to stop this from happening. The theory is that bots can only read code, not an image. So the form makes you verify the letters and numbers on the image. The problem with this is that bots started using optical character recognition (OCR) to start reading the images. Hence, CAPTCHAs started having to distort the characters on the image.

Skip ahead a few years, and now the CAPTCHA images are so distorted (to foil the OCR) that half the time, people type in the wrong characters because they can’t read them!

Admit it … you hate CAPTCHAs, don’t you? So does everyone else.

How honeypots foil the bots

Thank you to someone (I don’t know who … I wish I could give them credit) very clever that used some common sense to create a low-tech solution to foil Web bots.

The honeypot technique specifies that one creates a “hidden” field on a Web form. It is hidden to people using code that tells your browser to not display this form field. However, the field still exists in the code. So the unattended bot stumbles on this web form, fills out all the fields and hits the submit button.

But here’s the clever part …

The Web form is programmed to detect if that hidden field was complete. If so, it rejects the form submission. The logic is that if the field was filled in, it must be a bot because a real person wouldn’t be able to see that field.

Amazing, isn’t it? Such a simple solution that could have avoided so much frustration that people have experienced over the years with CAPTCHAs.

Juice Marketing uses honeypot form fields on all the websites we build!

Typically we build WordPress websites for our clients. We use one of two plugins for Web forms, and both have a honeypot feature. We implement it on every website to eliminate Web form spam.

Are “robots” sending you spam email through your website?

Do you still have a CAPTCHA on your website annoying your customers trying to contact you?

Give us a call and we can:

  • remove the CAPTCHA
  • install a honeypot
  • stop the Web form spam
  • and make your customers happy to contact you through your website